From Our House to Yours

Brian T. O’Hara CISA, CISM, CRISC

CISO, The Mako Group, LLC

[email protected]

260.241.4799

Institute of Internal Auditors Presentation 2014


The Mako Group, LLC

“The Mako Group, LLC is an Information Technology and Systems security, compliance, and consulting firm, specializing in audit, compliance, Enterprise Risk Management and data security in both private and public sectors. As CISO, my responsibilities include the oversight and management of security related functions and services including audit and regulatory compliance reviews, Enterprise Risk Management (ERM), and development of strategic planning with regard to current and emerging security technologies.”

Introduction

• Health Care

• Banking

• SOX

• PCI

• Government

• Critical Infrastructure

• SOC (Service Organization Control)

• Manufacturing

HEALTH CARE

2013-2014

Audit And Compliance Authority

• DHHS (Department of Health & Human Services)

– Charged with administering HIPAA

• OCR (Office for Civil Rights)

– Charged with Enforcement

• KPMG

– Audit Subcontractor to OCR

HIPAA

• HITECH Act

– Breach Notification

– Business Associate Agreements

– Security Rule

• OMNIBUS Rule

– Enforcement Rule

• BA Chain of Assurance

– Clarification of Rules

OCR/KPMG Audit Hot Buttons

• Risk Management

• Risk Assessment

• Risk Management Strategy

• IT Strategic Planning

• Key Phrases

– “Culture of Compliance”

– “Visible Demonstrable Evidence”

PERSISTENT PROBLEMS

• Lack of Knowledge

• Poor Risk Based Decision Making

• Resources

• “Experts”

• Shaming Tactics

Trends

• Poor/Non-Existent Risk Management

• Poor Understanding of Regulations

• Denial

• Overwhelmed

– Don’t know where to start

– Don’t understand regulations

• Lots of “Experts” and “Certified” products*

– ISC2 CISSP Certification

BANKING

2013-2014

FFIEC TSP Guidance

• FFIEC Statement of Authority

– Anyone who does business with a financial institution falls under their jurisdiction *

• FDIC Audits

– Now available but you must ask

– TSP should be providing these

FFIEC Cloud Guidance

• Add On to Vendor Management

FFIEC Social Media Guidance

• Inclusion in Risk Assessment and ERM

– Owning the namespace

• Brand Protection

– Owning and Controlling Data

• Account access controls

– Monitoring Brand Usage

ACH

PERSISTENT PROBLEMS

• Risk Based Decision Making

• Human Behavior

• Cost (not so much)

Trends

• Risk Management and ERM

• BOD Involvement

• Risk Based Vendor Management

• Social Media

SOX

10 Years After

• Beast of Burden?

• Has It Helped?

– Madoff

– CHASE

– Freddie Mac

• Too Large To Fail?

– again

PCAOB Scrutiny

• Pressuring Accounting firms to further verify information coming out of systems

PCI

PCI 3.0

Changes 2013-2015

Goals of Standards Clarification

• Drive more consistency among assessors

• Help manage evolving risks / threats

• Align with changes in industry best practices

• Clarify scoping and reporting

• Eliminate redundant sub-requirements and consolidate documentation

• Provide stronger focus on some of the greater risk areas in the threat environment

• Provide increased clarity on PCI DSS & PA-DSS requirements

• Build greater understanding on the intent of the requirements and how to apply them

• Improve flexibility for all entities implementing, assessing, and building to the Standards

Change Categories

• Clarification

• Additional Guidance

• Evolving Requirements

– Passwords and Passphrases

Rankings (Updated)

• In Place

• In Place with Compensating Controls

• Not Applicable

• Not In Place

• Not Tested

Review of Target and Neiman Marcus

COMPLIANCE DOES NOT MEAN SECURITY

PERSISTENT PROBLEMS

• Inconsistent application of standards in audit from QSAs

• Inconsistent knowledge from acquiring banks

• Slow Adoption of EMV Chip Based Technology

– Has been successfully breached, but doing so is extremely difficult, time consuming, and expensive.

Trends

• Tighter controls on applications

• Tighter controls on terminal devices

– Physical seals used much like weights and measures

• Move to EMV Chip Based Cards

– Provides end to end encryption

– Already in Use in EU

– Some in Use Today in US

PUBLIC SECTOR

2013-2014

NIST and FISMA

NIST

• SP 800 Series

• SP 800-53 Rev 4 Security and Privacy Controls for Federal Information Systems and Organizations

– Those certified under Rev 3 will have catch-up work to do

• New control mappings

FISMA

• Federal Information Security Management Act of 2002

• Required of all Federal Agencies or Sub Contractors

– “Chain of Assurance”

• DoD Does Own Thing

– Examples

• FDA, DHHS, IRS, etc.

PERSISTENT PROBLEMS

• Standards Keeping Pace

• Compliance does not = security

• Cost

Trends

• “Chain of Assurance”*

– Any subcontractor doing business with an agency that is required to have completed FISMA audits must also undergo a FISMA audit and meet its requirements

CRITICAL INFRASTRUCTURE

“systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”

From President Obama’s Executive Order – Improving Critical Infrastructure Cybersecurity February 12, 2013.

Industrial Control Systems (ICS)

• SCADA

– Supervisory Control And Data Acquisition

• Typically larger than traditional stand-alone ICS

– Water plant versus small manufacturing

– Examples

• Water Utility

• Power Utility

• Supply Chain

• Transportation

PERSISTENT PROBLEMS

• Lack of Security in Design Phase

• Costly Upgrades

• Poor Inter-Vendor Operability

• Poor Industry Awareness

• Poor Regulations

Trends

• Just Scratching the Surface

• Increased Vendor Awareness and Diligence

• Improving Operator Awareness Via Training

• ICS-CERT

SOC Updates

SSAE16 Is Dead and Gone

No Longer SSAE16

• SOC 1

• SOC 2

• SOC 3

SHOULD RESULT IN NO DEFICIENCIES!

SOC 1

• Primarily for User Auditors

– Internal Controls Related to Financial Reporting

SOC 2

• Describes the suitability of design and operating effectiveness of controls at a service organization relevant to security, availability, processing integrity or confidentiality.

• Becoming More prevalent

• Involves 5 Security Trust Principles

• Standard Being Updated

SOC 3

• Similar to SOC 2 but does not disclose detailed controls and testing.

• More for Public Awareness

– Website Logos

PERSISTENT PROBLEMS

• Terminology Confusion

– SSAE16, SOC 1, etc.

• Standards Evolving

• HUGE CHANGE

– From SAS70

Trends

• More SOC 2 Reports

• Better Understanding of

– Target Audience

– Purpose

– Trust Security Principles

Summary Top Issues

1. Risk Management

2. Vendor Management

3. BYO(C)(D)

4. Social Media

5. Cloud Computing

6. “Chain of Assurance”

7. Application Security

8. Mobile Device Security

Summary

• Some Things Never Change

– Behavior

• Some Things Always Change

– Regulations

– Examiner Expectations

• Compliance Does Not Lead To Security

• Security Will Lead To Compliance

Q&A

BREAK

5 Minutes

TOOLS

RECON FOR AUDITORS

TOOLS

• Beginners

– InSSIDER

– Nmap

– MBSA

• Intermediate

– MS EMET

• Advanced

– Wireshark

InSSIDER

• Home of Wi-Fi Reconnaissance Tools (Metageek.net)

– Spectrum Analyzers

– SSID Identifier (free and paid)

– Wi-Fi Packet Analyzers


Nmap

• Network Cartography

– Free

– Easy to use

– Non-Intrusive

– Non-Disruptive

• With exceptions

– CLI and GUI

– Scanme.org



MBSA

• Patch Status

• Reboot Status

• Administrator Access Status

• Non-Expiring Passwords

• IIS Misconfigurations

• SQL Misconfigurations

– Runtimes AND Instances


Microsoft EMET

• MS Enhanced Mitigation Experience Toolkit (4.1)

– “The Enhanced Mitigation Experience Toolkit (EMET) is a utility that helps prevent vulnerabilities in software from being successfully exploited. EMET achieves this goal by using security mitigation technologies. These technologies function as special protections and obstacles that an exploit author must defeat to exploit software vulnerabilities. These security mitigation technologies do not guarantee that vulnerabilities cannot be exploited. However, they work to make exploitation as difficult as possible to perform.”


Wireshark

• “Wireshark is the world's foremost network protocol analyzer. It lets you see what's happening on your network at a microscopic level. It is the de facto (and often de jure) standard across many industries and educational institutions.”

• For Advanced Users

• Packet Capture and Analysis Tool

– Identify data exfiltration

– Identify C&C Traffic


Q&A

From Our House to Yours

THANKS!
